IBM has published a security bulletin for a remote code execution vulnerability (CVE-2020-4450) in WebSphere Application Server (WAS). The flaw is a Java deserialization issue in the server's IIOP (CORBA) listener: an unauthenticated remote attacker who can reach the IIOP port can send a crafted sequence of serialized objects, execute arbitrary code on the target server in the context of the WAS process, and from there take over the host. The CVSS base score is 9.8 (Critical).

WebSphere Application Server is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications. It is the flagship product within IBM’s WebSphere software suite.

Affected version

WebSphere Application Server 9.0.0.0 – 9.0.5.4

WebSphere Application Server 8.5.0.0 – 8.5.5.17

WebSphere Application Server 8.0.0.0 – 8.0.0.15

WebSphere Application Server 7.0.0.0 – 7.0.0.45

Solution

IBM has released a fix, including one for the end-of-support 7.0 and 8.0 streams. Affected users should install it as soon as possible. Until the fix is applied, restrict network access to the IIOP listener ports (the ORB and bootstrap ports) to trusted hosts only; the vulnerability is reachable without credentials, so exposure of those ports is the whole risk.

Researchers have published a proof of concept for the SMBv3 remote code execution vulnerability (CVE-2020-0796, "SMBGhost"), which substantially increases its practical risk. Users who have not yet applied the fix (KB4551762) should take action as soon as possible.

The vulnerability is in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain compressed requests. Against a server, an unauthenticated attacker sends a crafted packet to TCP port 445 and can execute arbitrary code on the SMB server. Against a client, the attacker stands up a malicious SMBv3 server and induces the user to connect to it; once the client connects, the attacker's code runs on the user's machine. Because the flaw is reachable without authentication and resembles the EternalBlue (MS17-010) bug, it is wormable and is likely to be adopted by malware. Microsoft's published workaround for servers (it does not protect clients) is to disable SMBv3 compression by setting the DWORD value DisableCompression=1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; blocking inbound TCP/445 at the perimeter limits exposure but is no substitute for the patch.

Affected version

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

On April 14, 2020, researchers at Ricerca Security tweeted a demo video of pre-authentication remote code execution:

Our exploit team (@hugeh0ge, @_N4NU_) has succeeded at #SMBGhost pre-auth "remote" code execution. While SMBGhost has gathered attention due to the potential for RCE, as far as we know, nobody has published a PoC of RCE to date!! A detailed report will be released later.😉 pic.twitter.com/nwTpHWTQjD

Spring Cloud Config has released new versions fixing a directory traversal vulnerability, CVE-2020-5410, which the Spring advisory rates High.

Spring Cloud Config provides server-side and client-side support for externalized configuration in a distributed system. With the Config Server, you have a central place to manage external properties for applications across all environments. The concepts on both client and server map identically to the Spring Environment and PropertySource abstractions, so they fit very well with Spring applications but can be used with any application running in any language.

The spring-cloud-config-server module does not properly validate the path components of a request before using them to locate configuration files. A remote attacker can send a specially crafted URL containing directory traversal sequences and read arbitrary files that the server process can read, which on a config server routinely includes credentials and other secrets.

Affected version

Spring Cloud Config: 2.2.0 to 2.2.2

Spring Cloud Config: 2.1.0 to 2.1.8

Solution

Upgrade Spring Cloud Config to 2.2.3 or 2.1.9. In addition, do not expose spring-cloud-config-server directly to the internet: keep it on an internal network and require authentication (for example with Spring Security), since the server hands out configuration that often contains secrets.

Apache has released a security bulletin fixing a remote command execution vulnerability in Apache Kylin (CVE-2020-1956). Some of Kylin's REST APIs concatenate user-supplied strings into operating system command lines. Because that input is not properly validated, an attacker can break out of the intended command and execute arbitrary system commands on the Kylin server. A proof of concept has been publicly disclosed, so affected users should take protective measures promptly.
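The following Python, added here as an illustration and not taken from Kylin's code base, contrasts the pattern the bulletin describes (a user-supplied string concatenated into a shell command) with a hardened version that validates the name against an allow-list and passes it as a discrete argument with no shell in between. The migration tool name, the use of echo as a stand-in command and the cube-name grammar are assumptions:

```python
import re
import subprocess

# Hypothetical command the server shells out to; "echo" stands in for it so
# the example runs harmlessly offline and shows exactly what the shell received.
MIGRATE_TOOL = ["echo", "migrate-cube"]


def run_vulnerable(cube_name: str) -> str:
    """Vulnerable pattern: the user-supplied name is concatenated into a single
    command string and handed to /bin/sh, so ';', '|', '$(...)' and friends in
    cube_name are interpreted by the shell."""
    cmd = " ".join(MIGRATE_TOOL) + " " + cube_name
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Assumed allow-list: plain identifiers only. Tighten it to whatever the
# application actually permits for the resource name.
CUBE_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def validate_cube_name(cube_name: str) -> str:
    """Reject anything that is not a plain identifier before it reaches a
    command line; raising is the right outcome for hostile input."""
    if not CUBE_NAME_RE.fullmatch(cube_name):
        raise ValueError(f"invalid cube name: {cube_name!r}")
    return cube_name


def run_hardened(cube_name: str) -> str:
    """Hardened pattern: validated input passed as its own argv element, with
    no shell involved, so metacharacters are never interpreted."""
    argv = MIGRATE_TOOL + [validate_cube_name(cube_name)]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


def run_argv_only(cube_name: str) -> str:
    """Argv form without validation: shell injection is neutralised (the whole
    string becomes one literal argument), but a leading '-' could still be
    parsed as an option by the real tool, which is why validation stays in."""
    result = subprocess.run(MIGRATE_TOOL + [cube_name], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    hostile = "sales; echo INJECTED"
    print(run_vulnerable(hostile))   # the shell runs the second command
    print(run_argv_only(hostile))    # the string is a single argument
    try:
        run_hardened(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

Passing an argument list (no shell) closes the injection on its own; the allow-list is there because real tools also interpret leading dashes, spaces and path separators in ways the shell does not.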

Affected version

Kylin 2.3.0 – 2.3.2

Kylin 2.4.0 – 2.4.1

Kylin 2.5.0 – 2.5.2

Kylin 2.6.0 – 2.6.5

Kylin 3.0.0-alpha

Kylin 3.0.0-alpha2

Kylin 3.0.0-beta

Kylin 3.0.0 – 3.0.1

Unaffected version

Kylin 2.6.6

Kylin 3.0.2

Solution

The Apache Kylin team has fixed the vulnerability in versions 2.6.6 and 3.0.2. Users should upgrade to an unaffected version as soon as possible.

Users who cannot upgrade immediately can apply a temporary mitigation: set kylin.tool.auto-migrate-cube.enabled to false, which disables the automatic cube migration path that runs the affected command. This only switches off that feature; it does not fix the missing input validation, so upgrading remains necessary.

Parallels Desktop is a widely used virtualization product for macOS.

Parallels Desktop has an out-of-bounds (OOB) memory access vulnerability in its virtualized VGA device. An attacker who can run code inside a guest can exploit it to escape the virtual machine, execute arbitrary code on the macOS host, and take control of the host.

Cisco has published an advisory for a critical vulnerability (CVE-2020-3280) in Cisco Unified Contact Center Express (Unified CCX). The flaw is insecure Java deserialization: user-supplied input is not sufficiently restricted before it is deserialized, so an unauthenticated remote attacker can send a malicious serialized Java object to an affected system and execute arbitrary code as the root user.

Cisco Unified Contact Center Express (Unified CCX) is the contact center component of Cisco's unified communications portfolio. It provides functions such as self-service voice, call distribution, and customer access control.

Affected version

Cisco Unified CCX <= 12.0

Unaffected version

Cisco Unified CCX 12.0(1)ES03

Cisco Unified CCX 12.5

Solution

Cisco has released fixed software; users should update to an unaffected version as soon as possible.

Apache Tomcat has published an advisory for a remote code execution vulnerability (CVE-2020-9484) in its session persistence (the PersistentManager, which the advisory calls the PersistenceManager). To exploit it, an attacker must satisfy all four of the following conditions at the same time:

an attacker is able to control the contents and name of a file on the server; and

the server is configured to use the PersistenceManager with a FileStore; and

the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and

the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;

When all four conditions hold, the attacker sends a request whose session ID, which FileStore uses to build the session file name, points via a relative path at the attacker-controlled file. Tomcat deserializes that file as a session, and the attacker's object graph executes on the server.

Affected version

Apache Tomcat 10.x < 10.0.0-M5

Apache Tomcat 9.x < 9.0.35

Apache Tomcat 8.x < 8.5.55

Apache Tomcat 7.x < 7.0.104

Unaffected version

Apache Tomcat 10.x >= 10.0.0-M5

Apache Tomcat 9.x >= 9.0.35

Apache Tomcat 8.x >= 8.5.55

Apache Tomcat 7.x >= 7.0.104

Solution

Apache Tomcat has released fixed versions, and affected users should upgrade to an unaffected version as soon as possible. Users who cannot upgrade yet can temporarily stop using FileStore, or set sessionAttributeValueClassNameFilter to a strict regular expression so that only the specific classes the application actually stores in sessions can be deserialized.
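To turn the four conditions into something checkable, here is an added Python audit (not Tomcat's code) that reads a context.xml and reports whether the server-side preconditions of CVE-2020-9484 are present: a PersistentManager backed by FileStore whose sessionAttributeValueClassNameFilter is missing or effectively a wildcard. The sample context.xml fragments are constructed, the probe class name is invented, and re.fullmatch is only an approximation of Java's full regex match:

```python
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"

# An invented class name no sensible allow-list should admit, used to spot
# filters that are effectively wildcards (".*", ".+" and the like).
PROBE_CLASS = "com.example.arbitrary.GadgetChain"


def audit_context_xml(xml_text: str) -> dict:
    """Check a Tomcat context.xml for the server-side preconditions of
    CVE-2020-9484: PersistentManager + FileStore with an unset or wildcard
    sessionAttributeValueClassNameFilter."""
    root = ET.fromstring(xml_text)
    report = {"persistent_manager": False, "file_store": False,
              "filter": None, "vulnerable": False, "reasons": []}
    for mgr in root.iter("Manager"):
        if mgr.get("className") != PERSISTENT_MANAGER:
            continue
        report["persistent_manager"] = True
        store = mgr.find("Store")
        if store is None or store.get("className") != FILE_STORE:
            continue  # JDBCStore or no Store: the file-on-disk condition is not met
        report["file_store"] = True
        flt = (mgr.get(FILTER_ATTR) or "").strip()
        report["filter"] = flt or None
        if not flt or flt.lower() == "null":
            report["vulnerable"] = True
            report["reasons"].append(
                "no sessionAttributeValueClassNameFilter: every serializable class is accepted")
            continue
        # Tomcat applies the filter as a full regex match against the fully
        # qualified class name; re.fullmatch approximates Java's Pattern for
        # the simple patterns used in practice.
        try:
            if re.fullmatch(flt, PROBE_CLASS):
                report["vulnerable"] = True
                report["reasons"].append(f"filter {flt!r} admits arbitrary classes")
        except re.error as exc:
            report["vulnerable"] = True  # cannot verify it, so treat as weak
            report["reasons"].append(f"filter {flt!r} is not a valid regex: {exc}")
    return report


# Constructed samples (not taken from any real deployment).
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="/opt/tomcat/sessions"/>
  </Manager>
</Context>"""

WILDCARD_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter=".*">
    <Store className="org.apache.catalina.session.FileStore" directory="/opt/tomcat/sessions"/>
  </Manager>
</Context>"""

# Allow-list of the JDK value types most session attributes need; extend it
# with the application's own classes rather than loosening it.
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="/opt/tomcat/sessions"/>
  </Manager>
</Context>"""

DEFAULT_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""

if __name__ == "__main__":
    for name, xml in [("weak", WEAK_CONTEXT), ("wildcard", WILDCARD_CONTEXT),
                      ("hardened", HARDENED_CONTEXT), ("default", DEFAULT_CONTEXT)]:
        print(name, audit_context_xml(xml))
```

Run it over every context.xml and per-application META-INF/context.xml on the host; a hit only confirms the server-side conditions, the remaining two (a writable file and a known relative path) depend on the application's upload handling.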

A memory corruption vulnerability (CVE-2020-12651) was fixed in SecureCRT 8.7.2. When the terminal's CSI (Control Sequence Introducer) handling receives a large value that is interpreted as a negative number, a remote system can corrupt memory in the terminal process, leading to arbitrary code execution or a crash. The attacker does not need credentials on the client: any data the terminal renders, such as an SSH server banner, can carry the malicious escape sequence.
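The following Python, added here and not SecureCRT's code, models the failure mode: a CSI parameter accumulated into a 32-bit signed integer with no bound check wraps to a negative value, while a bounded parser clamps it. The 65535 ceiling, the constructed banner and the scan helper are assumptions for illustration:

```python
import re

# ECMA-48 CSI: ESC [ <parameter bytes 0x30-0x3F> <intermediate bytes 0x20-0x2F> <final 0x40-0x7E>
CSI_RE = re.compile(r"\x1b\[([0-?]*)([ -/]*)([@-~])")
MAX_PARAM = 65535  # assumed upper bound; real terminals clamp to screen size or similar


def wrap_int32(value: int) -> int:
    """Emulate a C 'int' accumulator by wrapping into the signed 32-bit range."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def parse_params_naive(params: str) -> list:
    """Digit-by-digit accumulation into a 32-bit int with no bound check: a
    long digit run overflows and comes out negative, the kind of value the
    advisory describes reaching the CSI handler."""
    out = []
    for field in params.split(";"):
        acc = 0
        for ch in field:
            if ch.isdigit():
                acc = wrap_int32(acc * 10 + int(ch))
        out.append(acc)
    return out


def parse_params_safe(params: str, max_value: int = MAX_PARAM) -> list:
    """Bounded parsing: an empty field means 0 (the ECMA-48 default), anything
    but digits is rejected, and values are clamped before any caller can use
    them as a count, index or buffer size."""
    out = []
    for field in params.split(";"):
        if field == "":
            out.append(0)
            continue
        if not field.isdigit():
            raise ValueError(f"bad CSI parameter {field!r}")
        out.append(min(int(field), max_value))
    return out


def scan_for_hostile_csi(data: str) -> list:
    """Walk attacker-supplied text (for example an SSH banner) and report every
    CSI sequence whose naive parse differs from the bounded parse."""
    findings = []
    for m in CSI_RE.finditer(data):
        params = m.group(1).lstrip("<=>?")  # drop private-mode marker
        final = m.group(3)
        naive = parse_params_naive(params)
        try:
            safe = parse_params_safe(params)
        except ValueError:
            findings.append({"seq": m.group(0), "final": final, "reason": "unparseable"})
            continue
        if naive != safe:
            findings.append({"seq": m.group(0), "final": final, "naive": naive, "safe": safe})
    return findings


# Constructed banner: a normal clear-screen, a cursor-position sequence with an
# oversized row parameter, and a harmless private-mode sequence.
BANNER = "SSH-2.0-OpenSSH_8.2\r\n" + "\x1b[2J" + "\x1b[4294967295;1H" + "\x1b[?25l"

if __name__ == "__main__":
    for f in scan_for_hostile_csi(BANNER):
        print(f)
```

The interesting value is the naive parse of 4294967295, which lands at -1 after wrapping; a cursor-position or erase handler that trusts that as a row count is exactly the primitive the advisory warns about.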

Affected version

SecureCRT Version < 8.7.2

Unaffected version

SecureCRT Version >= 8.7.2

Solution

Users should update SecureCRT to 8.7.2 or later. More generally, treat terminal emulators as an attack surface: a remote host controls every byte the terminal interprets, so avoid connecting to hosts you do not fully trust with terminal software that is not up to date.

Top 10 Routinely Exploited Vulnerabilities in the past four years
https://meterpreter.org/top-10-routinely-exploited-vulnerabilities-in-the-past-four-years/
Fri, 15 May 2020 09:08:33 +0000

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of the ten vulnerabilities most commonly exploited between 2016 and 2019: seven in Microsoft products (Office, Windows, SharePoint, .NET Framework), one in Apache Struts, one in Adobe Flash Player and one in Drupal. The CVE identifiers are as follows:

CVE-2017-11882

CVE-2017-0199

CVE-2017-5638

CVE-2012-0158

CVE-2019-0604

CVE-2017-0143

CVE-2018-4878

CVE-2017-8759

CVE-2015-1641

CVE-2018-7600

CISA recommends that IT security professionals use this list together with a similar list recently published by Recorded Future, which covers the ten vulnerabilities most exploited by cybercriminals in 2019.

In addition to the aforementioned vulnerabilities, CISA also highlighted several other vulnerabilities that were routinely exploited in 2020:

CVE-2019-11510 (affects Pulse Secure VPN server)

CVE-2019-19781 (affecting Citrix VPN devices)

Since the first quarter of 2020, as the coronavirus pandemic spread in the United States, malicious actors have targeted organizations that moved rapidly to remote work. CISA specifically warned organizations to review their Microsoft Office 365 security configuration for gaps introduced by hurried rollouts and to start remediating weaknesses in their corporate networks.

There is an elevation of privilege vulnerability in the way Windows handles errors related to the "Remote Access Common Dialog". Exploitation requires physical access to the device. An attacker who successfully exploited it could run arbitrary code with elevated privileges and take full control of the device.

There is a use-after-free (UAF) vulnerability in a Windows graphics component. Exploitation requires the attacker to already be able to log on to the system. An attacker who successfully exploited it could elevate from a standard user account to SYSTEM.

CVE-2020-1067: Windows remote code execution vulnerability

A remote code execution vulnerability exists in the way the Windows operating system handles objects in memory. Exploitation requires the attacker to hold a domain user account. An attacker who successfully exploited it could execute arbitrary code with elevated permissions on the affected system and take full control of the device.

There is a null pointer dereference vulnerability in the Windows Diffie-Hellman implementation used by TLS. Exploitation requires the attacker to take part in a TLS handshake with the affected system: sending a malicious client key exchange message triggers the bug. Successful exploitation terminates the lsass.exe process, which forces the machine to restart, resulting in a denial of service. Both TLS clients and TLS servers are affected.

CVE-2020-0901: Excel remote code execution vulnerability

There is a remote code execution vulnerability in the way Excel handles objects in memory. Exploitation requires the attacker to convince a user to open a specially crafted Excel document. An attacker who successfully exploited it could run code in the context of the current user, so accounts with administrative rights are affected most severely.

We recommend that users install the latest patches in a timely manner.

CVE-2020-11932: Ubuntu server installer logs LUKS passwords used on the system
https://meterpreter.org/cve-2020-11932-ubuntu-server-installer-logs-luks-passwords-used-on-the-system/
Wed, 13 May 2020 02:40:03 +0000

The latest Ubuntu Server installer leaked the disk encryption passphrase into its log files. Subiquity, the Ubuntu Server installer, has existed for almost three years, but it only became the default installer with Ubuntu 20.04 LTS, released at the end of April 2020. As the default it now receives far more scrutiny, and a developer soon found a serious bug.

The vulnerability manifests as the LUKS volume passphrase appearing in clear text in several installer outputs, including:

autoinstall-user-data

curtin-install-cfg.yaml

curtin-install.log

installer-journal.txt

subiquity-curtin-install.conf

The issue is tracked as CVE-2020-11932 and was filed with "Critical" severity; the developers have already fixed it. Systems installed with an affected Subiquity build and full-disk encryption should treat the passphrase as exposed: the installer copies its logs to /var/log/installer/ on the installed system, so check those files, remove the leaked copies, and change the LUKS passphrase (cryptsetup luksChangeKey).

Any PC produced before 2019 is vulnerable to "Thunderspy" attacks
https://meterpreter.org/any-pc-produced-before-2019-is-vulnerable-to-thunderspy-attacks/
Tue, 12 May 2020 15:10:29 +0000

Björn Ruytenberg, a security researcher at Eindhoven University of Technology, revealed that all PCs manufactured before 2019 may be attacked through flaws in the widely used Thunderbolt port.

Even if the PC is in sleep mode or locked, this attack called Thunderspy can read and copy all data from the user’s PC. In addition, it can steal data from encrypted drives.

[Image caption: Belkin shows off an early hand-made prototype of a Thunderbolt Express Dock at Intel's IDF 2011 showcase]

Thunderspy belongs to the category of evil-maid attacks: it requires physical access to the device, so it is far less broadly usable than attacks that can be carried out remotely. On the other hand, Thunderspy is stealthy: after a successful intrusion the attacker leaves almost no trace of exploitation.

In fact, as early as February 2019 a group of security researchers disclosed Thunderclap, a related class of Thunderbolt DMA attacks. In the same year Intel introduced a mitigation for drive-by Direct Memory Access (DMA) attacks called Kernel DMA Protection.

Ruytenberg states that all Thunderbolt-equipped devices shipped between 2011 and 2020 are vulnerable. Devices shipped since 2019 with Kernel DMA Protection are only partially protected and remain vulnerable to some extent.

The Thunderspy vulnerabilities cannot be fixed in software, will also affect upcoming standards such as USB 4 and Thunderbolt 4, and will ultimately require a silicon redesign.

The SaltStack security team has issued an advisory for two vulnerabilities in Salt, CVE-2020-11651 and CVE-2020-11652, rated critical.

SaltStack makes software for managing complex systems at scale. The company created and maintains the open-source Salt project and sells SaltStack Enterprise software, services and support. Salt is designed to be running in minutes, to scale to tens of thousands of servers, and to communicate with them in seconds.

Salt is an infrastructure-management framework built on a dynamic communication bus (ZeroMQ). It is used for data-driven orchestration, remote execution across any infrastructure, configuration management for any application stack, and more.

Salt has an authentication bypass vulnerability and a directory traversal vulnerability. A remote attacker can send specially crafted requests to the Salt master, take control of every server it manages, and execute arbitrary commands on them.

CVE-2020-11651 is an authentication bypass in the Salt master's ClearFuncs class, which fails to properly validate method calls. An attacker who can reach the master's request server only needs to send a crafted request to bypass Salt's permission checks and invoke internal functions, including ones that return the master's root key and publish commands to minions, so commands can be dispatched as root across the fleet.

CVE-2020-11652 is a directory traversal in the master's wheel module: paths are not properly sanitized, so an attacker can construct a request that reads arbitrary files on the Salt master, leaking sensitive information.

Affected version

SaltStack < 2019.2.4

SaltStack < 3000.2

Salt 2019.2.4 and 3000.2 contain the fixes, and users should install them promptly. Because both bugs are reachable without authentication over the master's ZeroMQ ports (TCP 4505 and 4506), those ports must not be exposed to untrusted networks; restrict them to minion networks, and after patching a previously exposed master, rotate its keys and review recent jobs for unexpected activity.

Juniper has released a security bulletin for CVE-2020-1631, a vulnerability in the HTTP/HTTPS service that backs J-Web and other web-based features of Junos OS. Per the bulletin: "A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal." Successful exploitation lets the attacker inject commands into httpd.log, read files with world-readable permissions, and obtain J-Web session tokens.

The Junos operating system (Junos OS) used in Juniper Networks high-performance network devices creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network.

Affected version:

Junos OS 12.3

Junos OS 12.3X48

Junos OS 14.1X53

Junos OS 15.1

Junos OS 15.1X49

Junos OS 17.2

Junos OS 17.3

Junos OS 17.4

Junos OS 18.1

Junos OS 18.2

Junos OS 18.3

Junos OS 18.4

Junos OS 19.1

Junos OS 19.2

Junos OS 19.3

Junos OS 19.4

Junos OS 20.1

Unaffected version:

Junos OS 12.3X48-D101

Junos OS 12.3X48-D105

Junos OS 15.1X49-D211

Junos OS 15.1X49-D220

Junos OS 15.1R7-S7

Junos OS 16.1R7-S8

Junos OS 17.2R3-S4

Junos OS 17.4R2-S11

Junos OS 17.3R3-S8

Junos OS 17.4R3-S2

Junos OS 18.1R3-S10

Junos OS 18.2R2-S7

Junos OS 18.2R3-S4

Junos OS 18.3R2-S4

Junos OS 18.3R3-S2

Junos OS 18.4R1-S7

Junos OS 18.4R3-S2

Junos OS 19.1R1-S5

Junos OS 19.1R3-S1

Junos OS 19.2R2

Junos OS 19.3R2-S3

Junos OS 19.3R3

Junos OS 19.4R1-S2

Junos OS 19.4R2

Junos OS 20.1R1-S1

Junos OS 20.1R2 and all subsequent releases

Solution

Juniper has fixed the vulnerability in the releases listed above; users should upgrade to an unaffected version as soon as possible. Until then, Juniper's workaround is to disable J-Web, or to limit access to the HTTP/HTTPS service to trusted hosts only.

GitLab has paid a $20,000 bounty to the security researcher who reported a serious vulnerability leading to remote code execution on its platform. The bug was found by William Bowling ("vakzz"), a programmer and bug bounty hunter, who reported it on March 23 through GitLab's HackerOne bug bounty program.

Bowling explained that the problem lies in GitLab's UploadsRewriter, which copies uploaded files when an issue is moved between projects. UploadsRewriter takes the file name and path from the issue but performs no validation on them, so a path traversal sequence in the file reference causes arbitrary files to be copied into the destination project.

According to Bowling, an attacker could use the flaw to "read arbitrary files on the server, including tokens, private data, configs, etc." Both self-managed GitLab instances and GitLab.com were affected, and HackerOne rated the issue as severe.

Bowling added that the arbitrary file read can be escalated to remote code execution by reading GitLab's secret_key_base from the Rails secrets file. An attacker who sets the secret_key_base of their own GitLab instance to the stolen value can mint session cookies that the target instance accepts as its own, and a crafted cookie payload is then deserialized on the target, giving RCE.

The vulnerability, tracked as CVE-2020-10977, has been fixed in GitLab 12.9.1.
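Both the Spring Cloud Config advisory (CVE-2020-5410) above and this GitLab UploadsRewriter bug come down to the same mistake: user-controlled path segments joined onto a base directory without a containment check. The following Python, added here and not taken from either project, shows the vulnerable join next to a resolver that contains the result. The base directories, the single URL decode and the sample segments are assumptions for illustration, and neither project's real parameter handling is reproduced:

```python
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a resolved path would leave its base directory."""


def vulnerable_resolve(base: str, *parts: str) -> str:
    """The pattern in both advisories: user-controlled segments are joined onto
    a base directory with no containment check, so '..' walks out of it."""
    return posixpath.normpath(posixpath.join(base, *parts))


def safe_resolve(base: str, *parts: str) -> str:
    """Decode each segment once (as the web layer would before using it),
    reject absolute segments, NUL bytes and '..' components, normalise, then
    require the result to remain inside base. The final containment check is
    the real defence; the per-segment rejections exist to fail early and loudly."""
    base = posixpath.normpath(base)
    cleaned = []
    for part in parts:
        part = unquote(part)
        if not part or part.startswith("/") or "\x00" in part:
            raise PathTraversalError(f"rejected segment {part!r}")
        if ".." in part.split("/"):
            raise PathTraversalError(f"dot-dot in segment {part!r}")
        cleaned.append(part)
    resolved = posixpath.normpath(posixpath.join(base, *cleaned))
    if resolved != base and not resolved.startswith(base.rstrip("/") + "/"):
        raise PathTraversalError(f"{resolved} escapes {base}")
    return resolved


# Constructed bases. The Spring case: a config-server request naming an
# application and a file; the GitLab case: an upload under a per-project
# secret directory. In both, the trailing segments are attacker-chosen.
CONFIG_BASE = "/srv/config-repo"
UPLOADS_BASE = "/var/opt/gitlab/uploads"

if __name__ == "__main__":
    print(vulnerable_resolve(CONFIG_BASE, "myapp", "../../../etc/passwd"))
    print(vulnerable_resolve(UPLOADS_BASE, "0123abcd", "../../../../../etc/passwd"))
    print(safe_resolve(CONFIG_BASE, "myapp", "application.yml"))
    for hostile in ("../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        try:
            safe_resolve(CONFIG_BASE, "myapp", hostile)
        except PathTraversalError as exc:
            print("blocked:", exc)
```

Decode exactly as many times as the server does before checking; a double-encoded "..%252F" that is decoded once stays a literal file name and is harmless, but if a later layer decodes it again the check has been bypassed. Where symlinks are possible, apply the same containment test to os.path.realpath of the result.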